JP5668191B2 - ENCRYPTED DATA MANAGEMENT DEVICE, ENCRYPTED DATA MANAGEMENT METHOD, AND ENCRYPTED DATA MANAGEMENT PROGRAM - Google Patents

Description

  The present invention relates to a technique for managing encrypted data that realizes revocation of a secret key.

The public key cryptosystem developed by Diffie and Hermann in 1976 has undergone various improvements and functional enhancements. In 2001, Bonnet and Franklin developed a public key cryptosystem called ID-based cryptography based on pairing operations. In recent years, research on methods based on pairing operations has been actively conducted.
As a highly functional public key cryptosystem using pairing, there are cryptosystems with high security described in Non-Patent Documents 1 and 2 (hereinafter referred to as functional cryptography). Unlike the conventional encryption, the functional encryption method can perform encryption by designating a plurality of users (secret keys) that can be decrypted with one public key.

When the public key cryptosystem is applied to a system used by a general user, the user may lose the secret key. In this case, in order to prevent the lost secret key from being misused, it is necessary to revoke the lost secret key.
As revocation methods for revoking the secret key, there are methods described in Patent Documents 1 and 2.

  In Patent Document 1, when a command for invalidating a secret key of a specific user is input, a new encryption key is input when a command for invalidating the secret key of the user and reissuing the secret key is input. And a revocation method for generating a private key pair.

  In Patent Document 2, when an access request and an access identifier are received, it is confirmed whether or not the identifier described in the list of invalidated identifiers matches the access identifier. The method is described.

JP-A-2005-51614 Japanese translation of PCT publication No. 2003-506782

T. T. et al. Okamoto, K .; Takashima, “A geometric approach on pairing and hierarchical predicates encryption”, In: Poster session, EUROCRYPT 2009. T. T. et al. Okamoto, K .; Takashima, “Fully Security Functional Encryption With General Relations form the Decision Linear Assessment,” CRYPTO 2010, Lecture Notes 20 In 23.

  Since the functional encryption method is significantly different from the conventional encryption method, the secret key revocation method applied to the conventional encryption method cannot be applied. In addition, the functional encryption method does not consider revocation in the algorithm itself, as in the conventional encryption method. Therefore, the functional encryption method cannot cope with the loss of a secret key that is likely to occur when applied to a system used by a general user.

In the revocation method described in Patent Document 1, when a secret key is revoked, a new key pair is reissued. Therefore, when this revocation method is applied to a functional encryption method, all the encrypted data must be re-encrypted so that it can be decrypted with the revoked secret key. Therefore, it may be necessary to re-encrypt a large amount of data that has been encrypted in the past, and there is a risk that enormous costs may be required.
Similarly, when the revocation method described in Patent Document 2 is applied to the functional encryption method, the encrypted data must be re-encrypted so that it can be decrypted with the revoked secret key.

  The main object of the present invention is to realize a secret key revocation method that can also be used in a functional encryption method.

The encrypted data management device according to the present invention is:
If the attribute information and key information set in the encrypted data does not correspond to the attribute information and key information set in the secret key, the encryption method cannot decrypt the encrypted data with the secret key. An encrypted data management device that manages encrypted data,
A data acquisition unit that acquires encrypted data set with attribute information from a storage device;
A revocation determination unit that determines whether the user having the attribute information set in the encrypted data acquired by the data acquisition unit includes a user whose private key has been revoked;
A key information setting unit that sets a different value in the encrypted data as the key information depending on whether or not the revocation determination unit determines that a user whose private key has been revoked;
The key information setting unit includes a data transmission unit that transmits the encrypted data in which the key information is set to the user terminal.

  The encrypted data management device according to the present invention sets a different value as key information depending on whether or not a user whose secret key is revoked is included in a user who can decrypt the encrypted data, and transmits it to the user To do. Thereby, it is possible to prevent the encrypted data from being decrypted with the expired secret key.

1 is a configuration diagram of a cryptographic processing system 10 according to a first embodiment. 1 is a configuration diagram of a user terminal 100 according to Embodiment 1. FIG. 1 is a configuration diagram of an encrypted data management apparatus 200 according to Embodiment 1. FIG. 1 is a configuration diagram of an encrypted data storage device 300 according to Embodiment 1. FIG. 1 is a configuration diagram of a key generation device 400 according to Embodiment 1. FIG. 5 is a flowchart showing a flow of encrypted data registration processing according to the first embodiment. 5 is a flowchart showing a flow of encrypted data acquisition processing according to the first embodiment. FIG. 9 is a configuration diagram of an encrypted data management apparatus 200 according to Embodiment 3. FIG. 5 is a configuration diagram of an encrypted data storage device 300 according to a third embodiment. 10 is a flowchart showing a flow of encrypted data registration processing according to the third embodiment. 10 is a flowchart showing a flow of encrypted data acquisition processing according to the third embodiment. The figure which shows an example of the hardware constitutions of the user terminal 100, the encryption data management apparatus 200, the encryption data storage apparatus 300, and the key generation apparatus 400.

Embodiment 1 FIG.
In the first embodiment, a method for realizing a secret key revocation method in the functional encryption method described in Non-Patent Document 1 will be described.

First, the functional encryption method described in Non-Patent Document 1 will be described by simplifying only the portions necessary for the description of this embodiment.
The functional encryption methods described in Non-Patent Document 1 include Setup algorithm, KeyGen algorithm, Enc algorithm, and Dec algorithm.

The Setup algorithm is an algorithm that generates a public parameter pk and a master secret key sk.
In the Setup algorithm, a parameter param of the dual pairing vector space and a base B and a base B ^* which are dual orthonormal bases associated by the pairing operation are generated. The parameter param and the base B are the public parameters pk, and the base B ^* is the master secret key sk.
Note that the basis B has basis vectors b ₁ , b ₂ ,. . . , B _{n + 2} and the basis B ^* is a basis vector b ^* ₁ , b ^* ₂ ,. . . , B ^* _{n + 2} . That is, the bases B and B ^* have n + 2 base vectors (n is an integer of 1 or more).

The KeyGen algorithm is an algorithm that generates a user secret key k ^* .
In the KeyGen algorithm, as shown in Equation 1, a user secret key k ^* is generated using the base B ^* included in the master secret key sk.
<Formula 1>
k ^* : = σ (v ₁ b ^* ₁ + ... + v _n b ^* _n ) + b ^* _{n + 1}
Here, σ is a random value. v ₁ ,. . . , V _n is a such as attribute information of the user is given a user secret key k ^*.

The Enc algorithm is an algorithm for generating encrypted data c.
In the Enc algorithm, as shown in Expression 2, the element c ₁ of the encrypted data c is generated using the base B included in the public parameter pk.
<Formula 2>
c ₁ : = ω (x ₁ b ₁ + ... + x _n b _n ) + ζb _{n + 1} + φb _{n + 2}
Here, ω, ζ, and φ are random values. x ₁ ,. . . , X _n are attribute information of a user who can decrypt the encrypted data c.
Further, the Enc algorithm, as shown in Equation 3, using the parameter param included in the public parameter pk, element _{c 2} of the encrypted data c is generated.
<Formula 3>
c ₂ : = e (g, g) ^ζ · m
Here, g is information included in the parameter param and is an element of the group G constituting the dual pairing vector space. m is a message. e (g, g) is a pairing operation for the element g and the element g.

The Dec algorithm is an algorithm for decrypting the encrypted data c with the user secret key k ^* .
In the Dec algorithm, the calculation shown in Expression 4 is executed, the encrypted data c is decrypted with the user secret key k ^* , and m ′ is extracted.
<Formula 4>
m ′: = c ₂ / e (c ₁ , k ^* )
Here, e (c ₁ , k ^* ) is a pairing operation for the element c ₁ and the user secret key k ^* .

In the Dec algorithm, basis vectors ^b _* 1 in the user secret key ^{k *,.} . . , ^B _{* n} set attribute information or the like to _{(v 1, ..., v n} ) and basis vectors _b 1 in element _{c 1,.} . . , B _{n corresponds} to the attribute information (x ₁ ,..., X _n ) set in _n , the extracted m ′ = m.
If the attribute information etc. (v ₁ ,..., V _n ) and the attribute information etc. (x ₁ ,..., X _n ) correspond, Σ _{i = 1} ⁿ v _i · x _i = 0 It is.

Pairing operation e (sg, tg) = e (g, g) ^st . Therefore, e (c ₁ , k ^* ) = e (g, g) ^Y. Here, Y = ωσ (x ₁ · v ₁ +... X _n · v _n ) + ζ. Therefore, if Σ _{i = 1} ⁿ v _i · x _i = 0, Y = ζ and e (c ₁ , k ^* ) = e (g, g) ^ζ .
Since c ₂ : = e (g, g) ^ζ · m as shown in Equation 3, if the calculation of Equation 4 is performed, if Σ _{i = 1} ⁿ v _i · x _i = 0, m ′ = m.

  In the following description, n = 4 will be described for the sake of simplicity.

FIG. 1 is a configuration diagram of a cryptographic processing system 10 according to the first embodiment.
The cryptographic processing system 10 realizes cryptographic processing based on the functional cryptographic scheme described in Non-Patent Documents 1, 2 and the like. The cryptographic processing system 10 includes a plurality of user terminals 100, an encrypted data management device 200, an encrypted data storage device 300, and a key generation device 400. Each user terminal 100, encrypted data management device 200, encrypted data storage device 300, and key generation device 400 are connected via a network 500 such as the Internet.

FIG. 2 is a configuration diagram of the user terminal 100 according to the first embodiment.
The user terminal 100 is a terminal used by the user, and encrypts and decrypts data. The user terminal 100 includes an encrypted data generation unit 110, a data transmission unit 120, a data reception unit 130, a decryption unit 140, and a key management unit 150.

FIG. 3 is a configuration diagram of the encrypted data management apparatus 200 according to the first embodiment.
The encrypted data management device 200 manages encrypted data between the user terminal 100 and the encrypted data storage device 300. The encrypted data management apparatus 200 includes a data reception unit 210 (data acquisition unit), a revocation determination unit 220, a key information setting unit 230, a data transmission unit 240, a revocation information management unit 250, and a key management unit 260.

FIG. 4 is a configuration diagram of the encrypted data storage device 300 according to the first embodiment.
The encrypted data storage device 300 stores encrypted data. The encrypted data storage device 300 includes a data reception unit 310, a data operation unit 320, a data transmission unit 330, and an encrypted data management unit 340.

FIG. 5 is a configuration diagram of the key generation apparatus 400 according to the first embodiment.
The key generation device 400 generates a user secret key k ^* , a master secret key sk, and a public parameter pk. The key generation device 400 includes an instruction reception unit 410, a key generation unit 420, a key transmission unit 430, and a master key storage unit 440.

The main processes of the cryptographic processing system 10 include an encrypted data registration process and an encrypted data acquisition process. The encrypted data registration process is a process in which the user terminal 100 registers encrypted data in the encrypted data storage device 300. The encrypted data acquisition process is a process in which the user terminal 100 acquires encrypted data from the encrypted data storage device 300.
The encrypted data registration process and the encrypted data acquisition process have three preconditions.
Therefore, after explaining the three preconditions, the encrypted data registration process and the encrypted data acquisition process will be described.

<Prerequisite 1>
The user terminal 100 needs to acquire the user secret key k ^* in the functional encryption method.
The instruction receiving unit 410 of the key generation device 400 receives a key generation instruction from the user terminal 100 or the like. Then, the key generation unit 420 of the key generation device 400 executes the Setup algorithm by the processing device, generates the public parameter pk and the master secret key sk, and stores them in the master key storage unit 440. In addition, the key generation unit 420 executes the KeyGen algorithm by the processing device, and generates the user secret key k ^* using the base B ^* included in the master secret key sk.
Then, the key transmission unit 430 transmits the public parameter pk and the user secret key k ^* to the user terminal 100. The data receiving unit 130 of the user terminal 100 receives the public parameter pk and the user secret key k ^* and stores them in the key management unit 150. Further, the key transmission unit 430 transmits the public parameter pk to the encrypted data management apparatus 200. The data receiving unit 210 of the encrypted data management apparatus 200 receives the public parameter pk and stores it in the key management unit 260.
Note that the Setup algorithm need only be executed once and does not need to be executed every time the user secret key k ^* is generated.
When the key transmission unit 430 transmits the user secret key k ^* to the user terminal 100, user authentication is performed to confirm that the terminal is a legitimate user terminal. When the key transmission unit 430 transmits the user secret key k ^* to the user terminal 100, a secure communication path using SSL (Secure Socket Layer) or the like is used to prevent eavesdropping and tampering. That is, the user secret key k ^* is prevented from being illegally used by a malicious third party.

Here, the key generation unit 420 generates a user secret key k ^* as shown in Equation 5.
<Formula 5>
k ^* = σ ₁ (v ₁ b ^* ₁ + v ₂ b ^* ₂ ) + σ ₂ (v ₃ b ^* ₃ + v ₄ b ^* ₄ ) + b ^* ₅
Here, σ ₁ and σ ₂ are random values. v ₁ and v ₂ are key information. Here, a generation number whose value is incremented each time a new key is issued is used as the key information. v ₃ and v ₄ are user attribute information to which the user secret key k ^* is given.
When the value of the generation number is ρ and the value of the attribute information is α, the user secret key k ^* is generated here as shown in Equation 6.
<Formula 6>
k ^* = σ ₁ (ρb ^* ₁ + b ^* ₂ ) + σ ₂ (αb ^* ₃ + b ^* ₄ ) + b ^* ₅
That is, v ₁ : = ρ, v ₂ : = 1, v ₃ : = α, v ₄ : = 1.

The key generation unit 420 sets the value of the generation number to 1 when first generating the user secret key k ^* for a certain user. The user has lost the user secret key k ^*, in the case of generating a user secret key k ^* again, and 2 increments the value of the generation number. Thereafter, when the user secret key k ^* is lost and regenerated, the incremented generation number value is used.

<Precondition 2>
The user terminal 100 needs to acquire the domain public key dpk.
The domain public key dpk is a public key corresponding to the secret key (domain secret key dsk) of the encrypted data management apparatus 200. The key pair of the domain secret key dsk and the domain public key dpk may be a key pair in another public key cryptosystem instead of a key pair in the functional cryptosystem.
The key generation unit 420 generates a key pair of the domain secret key dsk and the domain public key dpk, and the key transmission unit 430 transmits the domain public key dpk to the user terminal 100, and the domain secret key dsk is encrypted data management. Transmit to device 200. The data receiving unit 130 of the user terminal 100 receives the domain public key dpk and stores it in the key management unit 150. Further, the data receiving unit 210 of the encrypted data management apparatus 200 receives the domain public key dpk and stores it in the key management unit 260.
When the key transmission unit 430 transmits the domain secret key dsk to the encrypted data management apparatus 200, a secure communication path using SSL or the like is used to prevent eavesdropping and tampering.

<Precondition 3>
The encrypted data management apparatus 200 needs to acquire the revocation information.
The revocation information is information indicating the identification information of the user who lost the user secret key k ^*, and the user secret key k ^* generation number that was lost.
If the user has lost the user secret key k ^*, the data transmission unit 120 of the user terminal 100, revocation information and identification information of the user who lost the user secret key k ^*, and the user secret key k ^* generation number that was lost To the encrypted data management apparatus 200. The data receiving unit 210 of the encrypted data management apparatus 200 receives the revocation information and stores it in the revocation information management unit 250.
In addition, when receiving the revocation information, the data receiving unit 210 performs user authentication and confirms that the user who has reported the revocation is the principal.

<Encrypted data registration process>
FIG. 6 is a flowchart showing a flow of encrypted data registration processing according to the first embodiment.
(S11: Encryption processing)
The encrypted data generation unit 110 of the user terminal 100 generates the encrypted data c by executing the Enc algorithm.

Here, the encrypted data generation unit 110 uses the base B included in the public parameter pk stored in the key management unit 150, as shown in Expression 7, by the processing device to convert the element c ₁ of the encrypted data c. Generate.
<Formula 7>
c ₁ : = ω ₁ (r ₁ b ₁ + r ₂ b ₂ ) + ω ₂ (x ₃ b ₃ + x ₄ b ₄ ) + ζb ₅ + φb ₆
Here, ω ₁ , ω ₂ , r ₁ , r ₂ , ζ, and φ are random values. In x ₃ and x ₄ , attribute information of a user who can decrypt the encrypted data c is set.
When the value of the attribute information is α, the encrypted data c is generated here as shown in Expression 8.
<Formula 8>
c ₁ : = ω ₁ (r ₁ b ₁ + r ₂ b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
That is, x ₃ : = 1, x ₄ : = − α.

Also, the encrypted data generation unit 110 generates the element c ₂ of the encrypted data c using the parameter param included in the public parameter pk stored in the key management unit 150 as shown in Expression 9 by the processing device. To do.
<Formula 9>
c ₂ : = e (g, g) ^ζ · m

Further, the encrypted data generation unit 110, the processing device, the domain public key dpk stored in the key management unit 150, an omega ₁ r ₁ the encrypted E (ω ₁ r _1), the omega ₁ r ₂ encryption E (ω ₁ r ₂ ) is generated.
Further, the encrypted data generation unit 110 generates user identification information indicated by the attribute information set to the element c ₁ as the user list ul.

(S12: First data transmission process)
The data transmission unit 120 of the user terminal 100 is a cipher including elements c ₁ , c ₂ , E (ω ₁ r ₁ ), E (ω ₁ r ₂ ), ul generated by the encrypted data generation unit 110 by the communication device. The encrypted data c is transmitted to the encrypted data management apparatus 200.

(S13: Second data transmission process)
The data receiving unit 210 of the encrypted data management device 200 receives the encrypted data c from the user terminal 100 by the communication device. The data transmission unit 240 of the encrypted data management apparatus 200 attaches the related information r to the encrypted data c and transmits it to the encrypted data storage apparatus 300. The related information r is the creator of the encrypted data c, the reception date and time of the encrypted data c, etc., and is information used when searching for the encrypted data c later.

(S14: Data storage process)
The data receiving unit 310 of the encrypted data storage device 300 receives the encrypted data c and the related information r from the encrypted data management device 200 through the communication device. The data operation unit 320 of the encrypted data storage device 300 stores the encrypted data c and the related information r in the encrypted data management unit 340 in association with each other.

(S15: Result transmission process)
The data transmission unit 330 of the encrypted data storage device 300 transmits, to the encrypted data management device 200, result information indicating whether or not the encrypted data c has been successfully stored by the communication device.

(S16: Result transfer process)
The data receiving unit 210 of the encrypted data management apparatus 200 receives the result information from the encrypted data storage apparatus 300 through the communication apparatus. The data transmission unit 240 of the encrypted data management apparatus 200 transmits the result information to the user terminal 100 through the communication apparatus.

(S17: Result reception process)
The data receiving unit 130 of the user terminal 100 receives the result information from the encrypted data management device 200 by the communication device.

<Encrypted data acquisition processing>
FIG. 7 is a flowchart showing a flow of encrypted data acquisition processing according to the first embodiment.
(S21: Keyword transmission process)
The data transmission unit 120 of the user terminal 100 transmits a keyword capable of specifying the encrypted data c to the encrypted data management device 200 by the communication device.

(S22: Keyword transfer process)
The data receiving unit 210 of the encrypted data management apparatus 200 receives the keyword from the user terminal 100 by the communication apparatus. The data transmission unit 240 of the encrypted data management device 200 transmits the keyword to the encrypted data storage device 300 through the communication device.

(S23: Data search process)
The data receiving unit 310 of the encrypted data storage device 300 receives the keyword from the encrypted data management device 200 through the communication device. The data operation unit 320 of the encrypted data storage device 300 extracts, from the encrypted data management unit 340, the encrypted data c having the related information r that matches the keyword by the processing device.

(S24: First data transmission process)
The data transmission unit 330 of the encrypted data storage device 300 transmits the extracted encrypted data c to the encrypted data management device 200 through the communication device.

(S25: Generation number changing process)
The data receiving unit 210 of the encrypted data management device 200 receives the encrypted data c from the encrypted data storage device 300 through the communication device.
The revocation determination unit 220 of the encrypted data management apparatus 200 determines whether or not the identification information of the user included in the user list ul of the encrypted data c is included in the revocation information stored in the revocation information management unit 250 by the processing device. To determine. The key information setting unit 230 resets the random values r ₁ and r ₂ in the element c ₁ of the encrypted data c to different values according to the determination result of the revocation determination unit 220 by the processing device, and the element c ₁ ′. Is generated.
Specifically, the key information setting unit 230 resets the random values r ₁ and r ₂ as follows. Here, showing elements _{c 1} 'which resets the random number _r 1, _{r 2} in the element _{c 1} shown in Equation 8.

When the user identification information included in the user list ul is not included in the revocation information stored in the revocation information management unit 250, the key information setting unit 230 generates an element c ₁ ′ as shown in Expression 10. .
<Formula 10>
c ₁ ′: = ω ₁ (b ₁ −b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
That is, r ₁ is reset to 1, and r ₂ is reset to -1. -1 after resetting r ₂ is an initial value of −1 × generation number.
In addition, by performing the calculation shown in Expression 11, the element c ₁ ′ shown in Expression 10 can be obtained from the element c ₁ shown in Expression 8.
<Formula 11>
c ₁ ′: = c ₁ − (ω ₁ r ₁ b ₁ + ω ₁ r ₂ b ₂ ) + (ω ₁ b ₁ −ω ₁ b ₂ )
Here, ω ₁ r ₁ and ω ₁ r ₂ decrypt the elements E (ω ₁ r ₁ ) and E (ω ₁ r ₂ ) of the encrypted data c with the domain secret key dsk stored in the key management unit 260. Can be obtained. B ₁ and b ₂ are obtained from the base B included in the public parameter pk.

When the user identification information included in the user list ul is included in the revocation information stored in the revocation information management unit 250, the key information setting unit 230 generates the element c ₁ ′ as shown in Expression 12. .
<Formula 12>
c ₁ ′: = ω ₁ (b ₁ −ρ ₁ b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
That is, r ₁ is reset to 1 and r ₂ is reset to −ρ ₁ . -ρ _{1 obtained} by resetting r ₂ is −1 × (the value of the generation number of the revoked user secret key k ^* + 1). That is, when the user A is included in the user list ul and 1 is included in the revocation list as the generation number of the user secret key k ^* of the revoked user A, −ρ ₁ is −1 × (1 + 1) = −2.
Note that by performing the calculation shown in Expression 13, the element c ₁ ′ shown in Expression 12 can be obtained from the element c ₁ shown in Expression 8.
<Formula 13>
c ₁ ′: = c ₁ − (ω ₁ r ₁ b ₁ + ω ₁ r ₂ b ₂ ) + (ω ₁ b ₁ −ω ₁ ρ ₁ b ₂ )

(S26: Second data transmission process)
Data transmission unit 240 of the encrypted data management device 200, a communication device, the _'encrypted data c is replaced with' an element c ₁ of the encrypted data c element c _1, and transmits to the user terminal 100.

(S27: Decoding process)
The encrypted data generation unit 110 of the user terminal 100 receives the encrypted data c ′ from the encrypted data management device 200 through the communication device. The decryption unit 140 of the user terminal 100 decrypts the encrypted data c ′ with the user secret key k ^* by executing the Dec algorithm.
Here, the decryption unit 140 performs the calculation shown in Expression 14 by the processing device, thereby decrypting the encrypted data c ′ with the user secret key k ^* and extracting the message m ′.
<Formula 14>
m ′: = c ₂ / e (c ₁ , k ^* )

As described above, the basis vectors ^b _* 1 in the user secret key ^{k *,.} . . , ^B _{* n} set attribute information or the like to _{(v 1, ..., v n} ) and basis vectors _b 1 in element _{c 1,.} . . , B _{n corresponds} to the attribute information (x ₁ ,..., X _n ) set in _n , the extracted m ′ = m. Here, the attribute information and the like (v ₁ ,..., V _n ) and the attribute information and the like (x ₁ ,..., X _n ) correspond to Σ _{i = 1} ⁿ v _i · x _i = 0.

It is assumed that the user terminal 100 has a user secret key k ^* that is generated first and has a generation number value of 1. That is, it is assumed that the user terminal 100 has the user secret key k ^* shown in Expression 15 in which 1 is set in ρ of Expression 6.
<Formula 15>
k ^* = σ ₁ (b ^* ₁ + b ^* ₂ ) + σ ₂ (αb ^* ₃ + b ^* ₄ ) + b ^* ₅
Further, in S11, the element _{c 1} of the encrypted data c is assumed to be generated as shown in Equation 16 (= Equation 8).
<Formula 16>
c ₁ : = ω ₁ (r ₁ b ₁ + r ₂ b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆

When the user identification information included in the user list ul is not included in the revocation information, the element c ₁ ′ is generated as shown in Expression 17 (= Expression 10).
<Formula 17>
c ₁ ′: = ω ₁ (b ₁ −b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
In this case, v ₁ = 1, v ₂ = 1, v ₃ = α, v ₄ = 1, x ₁ = 1, x ₂ = −1, x ₃ = 1, x ₄ = −α, Σ _{i = 1} ⁴ v _i · x _i = 1−1 + α−α = 0. Accordingly, the message m, which is extracted with S26 'is equal to the message m, which is set to the element c ₂ of the encrypted data c at S11.
That is, the encrypted data c can be decrypted with the user secret key k ^* .

On the other hand, when the user identification information included in the user list ul is included in the revocation information, the element c ₁ ′ is generated as shown in Expression 18. Here, it is assumed that the user secret key k ^* whose generation number is 1 has expired.
<Formula 18>
c ₁ ′: = ω ₁ (b ₁ −2b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
In this case, in the user secret key k ^* , the basis vectors b ^* ₁ ,. . . , B ^* ₄ set to v ₁ ,. . . , V ₄ are v ₁ = 1, v ₂ = 1, v ₃ = α, v ₄ = 1. Further, in the element c ₁ ′, the basis vectors b ₁ ,. . . , B ₄ set to the coefficients of x ₁ ,. . . , X ₄ are x ₁ = 1, x ₂ = −2, x ₃ = 1, x ₄ = −α, and Σ _{i = 1} ⁴ v _i · x _i = 1−2 + α−α ≠ 0. . Accordingly, the message m, which is extracted with S26 'is not equal to the message m, which is set to the element c ₂ of the encrypted data c at S11.
That is, the encrypted data c cannot be decrypted with the expired user secret key k ^* .

However, the user terminal 100, asked to re-generate the user secret key k ^* to the key generation device 400, and has obtained the user secret key k ^* 2 is attached as the value of the generation number. That is, it is assumed that the user terminal 100 has acquired the user secret key k ^* shown in Expression 19 in which 2 is set in ρ of Expression 6.
<Formula 19>
k ^* = σ ₁ (2b ^* ₁ + b ^* ₂ ) + σ ₂ (αb ^* ₃ + b ^* ₄ ) + b ^* ₅
In this case, v ₁ = 2, v ₂ = 1, v ₃ = α, v ₄ = 1, x ₁ = 1, x ₂ = −2, x ₃ = 1, x ₄ = −α, Σ _{i = 1} ⁴ v _i · x _i = 2-2 + α−α = 0. Accordingly, the message m, which is extracted with S26 'is equal to the message m, which is set to the element c ₂ of the encrypted data c at S11.
That is, when the user secret key k ^* is lost, the encrypted data c can be decrypted by regenerating the user secret key k ^* .

It is also conceivable that the user terminal 100 acquires the encrypted data c from the encrypted data storage device 300 without going through the encrypted data management device 200. However, in this case, the element c ₁ of the encrypted data c is as shown in Expression 20 (= Expression 8).
<Formula 20>
c ₁ : = ω ₁ (r ₁ b ₁ + r ₂ b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
In this case, since the random values r ₁ and r ₂ are used, Σ _{i = 1} ⁴ v _i · x _i ≠ 0 regardless of the number of generation numbers set in the user secret key k ^* . Cannot decrypt.

As described above, in the cryptographic processing system 10 according to the first embodiment, when the user secret key k ^* is lost, the encrypted data c cannot be decrypted with the lost user secret key k ^{* and} is regenerated. In addition, the user secret key k ^* can be in a state where the encrypted data c can be decrypted. In particular, at this time, it is not necessary to perform processing such as re-encryption on the encrypted data c already stored in the encrypted data storage device 300.

Also, in the cryptographic processing system 10 according to the first embodiment, even when the user terminal 100 acquires the encrypted data c from the encrypted data storage device 300 without going through the encrypted data management device 200. The encrypted data c cannot be decrypted.
Therefore, in the cryptographic processing system 10 according to the first embodiment, the encrypted data storage device 300 is entrusted to a third party, and the encrypted data c may be leaked from the encrypted data storage device 300. Even can keep safe.

That is, in the cryptographic processing system 10 according to the first embodiment, the user attribute information and the generation number of the key are set in the user secret key k ^* . In addition, a decryptable user attribute information condition and a decryptable key generation number condition are set in the encrypted data c as AND conditions.
In the cryptographic processing system 10 according to the first embodiment, the encrypted data management device 200 that relays the processing between the user terminal 100 and the encrypted data storage device 300 is installed. When the user terminal 100 acquires the encrypted data c, the encrypted data management device 200 acquires the encrypted data c from the encrypted data storage device 300 and transmits it to the user terminal 100. At this time, the encrypted data management apparatus 200 sets the generation number of the encrypted data c to a different value depending on whether or not the user who can decrypt the encrypted data c includes a user who has revoked the user secret key k ^*. Set to. Specifically, if a revoked user is not included, an initial value is set as the generation number value. If a revoked user is included, the generation number value is not revoked. Set.
Thereby, the cryptographic processing system 10 according to the first embodiment cannot decrypt the encrypted data c with the lost user secret key k ^* without re-encrypting the encrypted data c, and the regenerated user The secret key k ^* is in a state where the encrypted data c can be decrypted.

In the above description, the user secret key k ^* is generated as shown in Equation 5. That is, the key information and the attribute information are multiplied by different random values σ ₁ and σ ₂ . However, as shown in Equation 21, the user secret key k ^* may be generated by multiplying the key information and the attribute information by the same random value σ.
<Formula 21>
k ^* = σ (v ₁ b ^* ₁ + v ₂ b ^* ₂ + v ₃ b ^* ₃ + v ₄ b ^* ₄ ) + b ^* ₅

In the above description, the element c ₁ of the encrypted data c is generated as shown in Expression 7. That is, the key information and the attribute information are multiplied by different random values ω ₁ and ω ₂ . However, as shown in Expression 22, the element c ₁ may be generated by multiplying the key information and the attribute information by the same random value ω.
<Formula 22>
c ₁ : = ω (r ₁ b ₁ + r ₂ b ₂ + x ₃ b ₃ + x ₄ b ₄ ) + ζb ₅ + φb ₆

Further, as shown in Expression 23, the element c ₁ may be generated without using the random value ω ₁ . This is because r ₁ and r ₂ themselves are random values, and it is not necessary to multiply the random values.
<Formula 23>
c ₁ : = r ₁ b ₁ + r ₂ b ₂ + ω ₂ (x ₃ b ₃ + x ₄ b ₄ ) + ζb ₅ + φb ₆

Also, as shown in Expression 24, an element c ₁ may be generated by setting coefficients of some base vectors (b _{1 in} Expression 24) for setting key information to 0. This is because the base vectors b ₁ and b ₂ are revalued by the encrypted data management apparatus 200, and therefore it is sufficient to set a random value as the coefficient of one of the base vectors.
<Formula 24>
c ₁ : = r ₂ b ₂ + ω ₂ (x ₃ b ₃ + x ₄ b ₄ ) + ζb ₅ + φb ₆

Further, as shown in equation 25, without setting a random number to the base vector for setting the key information, encrypts the other part the domain public key may generate an element c _1. By setting a random value to the basis vector for setting the key information, when the user terminal 100 directly obtains the encrypted data c from the encrypted data storage device 300, it cannot be decrypted. However, the same effect can be obtained by encrypting the other parts with the domain public key.
<Formula 25>
c ₁ : = E (ω ₂ (x ₃ b ₃ + x ₄ b ₄ ) + ζb ₅ + φb ₆ )

Further, in the above description, for the sake of simplicity, the description has been made using the user secret key k ^* in which α is set as the value of the attribute information and the encrypted data c.
However, in practice, the value α ₁ indicating the company A to which the user U belongs, the value α ₂ indicating the B section, the value α ₃ indicating the C section, and α ₄ indicating the user U are set as the attribute information values. The user secret key k ^* may be used. For example, the user secret key k ^* shown in Expression 26 may be used. Here, 1 is set as the value of the generation number. In this case, n = 10.
<Formula 26>
_{^{k * = σ 1 (b *}} 1 + b * 2) + σ 2 (α 1 b * 3 + b * 4 + α 2 b * 5 + b * 6 + α 3 b * 7 + b * 8 + α 4 b * 9 + b * 10) + b ^* ₁₁
Further, the encrypted data in which the value α ₁ indicating the A company and the value α ₂ indicating the B part are set as the attribute information values so that any user belonging to the B part of the A company can decrypt it. c may be used. For example, the encrypted data c shown in Expression 27 may be used.
<Formula 27>
c ₁ : = ω ₁ (r ₁ b ₁ + r ₂ b ₂ ) + ω ₂ (b ₃ −α ₁ b ₄ + b ₅ −α ₂ b ₆ ) + ζb ₁₁ + φb ₁₂

When the user identification information included in the user list ul is included in the revocation information, the element c ₁ ′ is generated as shown in Expression 28.
<Formula 28>
c ₁ : = ω ₁ (b ₁ −b ₂ ) + ω ₂ (b ₃ −α ₁ b ₄ + b ₅ −α ₂ b ₆ ) + ζb ₁₁ + φb ₁₂
In this case, v ₁ = 1, v ₂ = 1, v ₃ = α ₁ , v ₄ = 1, v ₅ = α ₂ , v ₆ = 1, v ₇ = α ₃ , v ₈ = 1, v ₉ = α ₄ , v ₁₀ = 1, x ₁ = 1, x ₂ = −1, x ₃ = 1, x ₄ = −α ₁ , x ₅ = 1, x ₆ = −α ₂ , x ₇ = 0, x _{Since 8} = 0, x ₉ = 0, and x ₁₀ = 0, Σ _{i = 1} ¹⁰ v _i · x _i = σ ₁ ω ₁ (1-1) + σ ₂ ω ₂ (α ₁ −α ₁ + α ₂ − α ₂ + 0 + 0 + 0 + 0) = 0. Accordingly, the message m, which is extracted with S26 'is equal to the message m, which is set to the element c ₂ of the encrypted data c at S11.

On the other hand, when the user identification information included in the user list ul is included in the revocation information, the element c ₁ ′ is generated as shown in Expression 29. Here, it is assumed that the user secret key k ^* whose generation number is 1 has expired.
<Formula 29>
c ₁ : = ω ₁ (b ₁ −2b ₂ ) + ω ₂ (b ₃ −α ₁ b ₄ + b ₅ −α ₂ b ₆ ) + ζb ₁₁ + φb ₁₂
Note that if one user U ₁ belonging to the B section loses the user secret key k ^* , the element c ₁ can be expressed even when another user U ₂ belonging to the B section acquires the encrypted data c. Instead of the element c ₁ ′ shown in FIG. 28, the element c ₁ ′ shown in Expression 29 is converted. Therefore, not only the user U ₁ but also other users belonging to the B section such as the user U ₂ cannot re-encrypt the encrypted data c unless the user secret key k ^* is recreated.

Embodiment 2. FIG.
In the second embodiment, a method for realizing a secret key revocation method in the functional encryption method described in Non-Patent Document 2 will be described.

First, the functional encryption method described in Non-Patent Document 2 will be described by simplifying only the portions necessary for the description of this embodiment. In particular, the span program and secret sharing used in the functional encryption method described in Non-Patent Document 2 will be omitted or simplified.
The functional encryption scheme described in Non-Patent Document 2 includes a Setup algorithm, a KeyGen algorithm, an Enc algorithm, and a Dec algorithm, similar to the functional encryption scheme described in Non-Patent Document 1.

The Setup algorithm is an algorithm that generates a public parameter pk and a master secret key sk.
In the Setup algorithm, the parameter param of the dual pairing vector space and t = 0,. . . , D (d is an integer of 1 or more), a base B _t and a base B ^* _t that are orthonormal bases for each t are generated. The parameter param and the base B _t are the public parameters pk, and the base B ^* _t is the master secret key sk.
Note that the basis B ₀ is the basis vector b _0,1 , b _0,2,. . . , B _0,5 and the basis B ^* ₀ is the basis vector b ^* _0,1 , b ^* _0,2,. . . , B ^* _0,5 . That is, each of the bases B ₀ and B ^* ₀ has five base vectors. Also, t = 1,. . . , Base _{B t} for each t of d, the basis vector _b t, _{1, b t,} 2,. . . , B _{t, 3nt + 1} and the basis B ^* _t is the basis vector b ^* _{t, 1} , b ^* _{t, 2 ,.} . . , B ^* _{t, 3nt + 1} . That is, each of the bases B _t and B ^* _t has 3nt + 1 (nt is an integer of 1 or more) base vectors.
However, strictly speaking, it is not necessary to include a base vector to which 0 is always assigned as a coefficient in the public parameter pk and the master secret key sk. Therefore, the base B ₀ included in the public parameter pk has only the base vectors b _0,1 , b _0,3 , b _0,5 , and the base B ^* ₀ included in the master secret key sk is the base vector b ^* _{0. ^, 1, b} * ^_0,3, it may have only _{b * 0, 4.} Also, t = 1,. . . , D, the base B _t included in the public parameter pk is the basis vector b _{t, 1} ,,. . . , B _{t, nt} , b _{t, 3 nt + 1} and the base B ^* _t included in the master secret key sk is the base vector b ^* _{t, 1 ,.} . . , B ^* _{t, nt + 1} , b ^* _{t, 2nt + 1,.} . . , B ^* _{t, 3nt} only.

The KeyGen algorithm is an algorithm that generates a user secret key k ^* .
In the KeyGen algorithm, as shown in Equation 30, using the basis B ^* _t included in the master secret key sk, the element k ^* ₀ and t = 1,. . . , The user secret key ^{k *} having an element ^k _{* t} for each t of d is generated.
<Formula 30>
_{^{k * 0: = (δ,}} 0,1, φ 0, 0) B * 0
k ^* _t : = (δv ^→ _t , 0 ^nt , φ ^→ _t , 0) B ^* _t
Here, δ, φ ₀ , φ ^→ _t : = φ _{t, 1} ,. . . , Φ _{t, nt} are random values. v ^→ _t : = v _{t, 1} ,. . . , V _{t, nt} are attribute information of the user to _whom the user secret key k ^* is given.
In addition, (z ₁ ,..., Z _N ) B ^* _t : = Σ _{i = 1} ^N z _i b ^* _{t, i} . _{^{That, k * 0: = (δ}} , 0,1, φ 0, 0) B * 0: = a _{^{δb * 0,1 + b * 0,3 +}} φ 0 b * 0,4. _{^{Also, k * t: = (δv}} → t, 0 nt, φ → t, 0) B * t: = Σ i = 1 nt δv t, i b * t, i + Σ i = 1 nt φ t, i b ^* _{T, 2nt + i} .

The Enc algorithm is an algorithm for generating encrypted data c.
In the Enc algorithm, as shown in Expression 31, using the base B included in the public parameter pk, the element c ₀ of the encrypted data c, t = 1,. . . , L (L is an integer equal to or less than d) and element c _t for each t is generated.
<Formula 31>
c ₀ : = (− s ₀ , 0, ζ, 0, η ₀ ) B ₀
c _t : = (s _t e ^→ _{t, 1} + θ _t x ^→ _t , 0 ^nt , 0 ^nt , η _t ) B _t
Here, e ^→ _{t, 1} is a vector having nt elements, the first element is 1 and the remaining elements are 0. Further, s ₀ = Σ _{i = 1} ^L s _i . ζ, θ _t , η ₀ , and η _t are random values. _{xt, 1,.} . . , _{Xt, nt} are user attribute information that can decrypt the encrypted data c.
Also, (z ₁ ,..., Z _N ) B _t : = Σ _{i = 1} ^N z _i b _{t, i} . That is, c ₀ : = (− s ₀ , 0, ζ, 0, η ₀ ) B ₀ : = − s ₀ b _0,1 + ζb _0,3 + η ₀ b _0,5 . Also, c _t : = (s _t e ^→ _{t, 1} + θ _t x ^→ _t , 0 ^nt , 0 ^nt , η _t ) B _t : = Σ _{i = 1} ^nt (s _t e ^→ _{t, 1} + θ _t x _{t , I} ) b _{t, i} + η _t b _{3nt + 1} .

In the Enc algorithm, as shown in Expression 32, the element cd _{+ 1} of the encrypted data c is generated using the parameter param included in the public parameter pk.
<Formula 32>
c _{d + 1} : = e (g, g) ^ζ · m
Here, g is information included in the parameter param and is an element of the group G constituting the dual pairing vector space. m is a message. e (g, g) is a pairing operation for the element g and the element g.

The Dec algorithm is an algorithm for decrypting the encrypted data c with the user secret key k ^* .
In the Dec algorithm, the calculation shown in Expression 33 is executed, the encrypted data c is decrypted with the user secret key k ^* , and m ′ is extracted.
<Formula 33>
m ′: = c _{d + 1} / (e (c ₀ , k ^* ₀ ) · Π _{t = 1} ^L e (c _t , k ^* _t ))
Here, e (c ₀ , k ^* ₀ ) is a pairing operation for the element c ₀ and the user secret key k ^* ₀ , and e (c _t , k ^* _t ) is the element c _t and the user secret. This is a pairing operation for the key k ^* _t .

In the Dec algorithm, t = 1,. . . , L, the attribute information set for the element k ^* _t in the user secret key k ^* (v ^→ _t ) and the attribute information set for the element c _t in the encrypted data c (x ^→ _t ) Corresponds to the extracted m ′ = m.
Attribute information etc. (v ^→ _t ) and attribute information etc. (x ^→ _t ) correspond to v ^→ _t · x ^→ _t = Σ _{i = 1} ^nt v _{t, i} · x _{t, i} = 0. It is.

Pairing operation e (sg, tg) = e (g, g) ^st . Therefore, e (c ₀ , k ^* ₀ ) = e (g, g) ^Y1 . Here, Y1 = −s ₀ + ζ. _{^{Further, Π t = 1 L e (}} c t, k * t) = (g, g) a ^Y2. Here, Y2 = Σ _{i = 1} ^L (s _i + v ^→ _t · x ^→ _t ) = Σ _{i = 1} ^L (s _i ) + Σ _{i = 1} ^L v ^→ _i · x ^→ _i . Therefore, if the _{^{Σ i = 1 L v → i}} · x → i = 0, is a ^{_{Y2 = Σ i = 1 L (}} s i).
_{^{And, e (c 0, k *}} 0) · Π t = 1 L e (c t, k * t) = e (g, g) Y3 _{^{next, Σ i = 1 L v →}} i · x → i = 0 Then, Y3 = −s ₀ + ζ + Σ _{i = 1} ^L (s _i ). As described above, since s ₀ = Σ _{i = 1} ^L s _i , Y 3 = ζ. That is, e (c ₀ , k ^* ₀ ) · Π _{t = 1} ^L e (c _t , k ^* _t ) = e (g, g) ^ζ .
As shown in Equation 32, cd _{+ 1} : = e (g, g) ^ζ · m, so if the calculation of Equation 33 is executed, Σ _{i = 1} ^L v ^→ _i · x ^→ _i = 0. Is m ′ = m.

  In the following description, for simplicity of explanation, d = 2 and L = 2, and n1 = 2 and n2 = 2 will be described.

  The configuration of the cryptographic processing system 10 according to the second embodiment is the same as the configuration of the cryptographic processing system 10 according to the first embodiment shown in FIG. The configuration of the user terminal 100, the encrypted data management device 200, the encrypted data storage device 300, and the key generation device 400 according to the second embodiment is the same as that of the user terminal 100 according to the first embodiment shown in FIG. The configuration is the same as that of the data management device 200, the encrypted data storage device 300, and the key generation device 400.

  The main processing of the cryptographic processing system 10 according to the second embodiment includes the encrypted data registration processing and the encrypted data acquisition processing, as in the cryptographic processing system 10 according to the first embodiment. There are three preconditions for the registration process and the encrypted data acquisition process.

The three preconditions are the same as those in the first embodiment except for the configuration of the user secret key k ^* generated in the precondition 1.

Here, the key generation unit 420 generates a user secret key k ^* as shown in Expression 34.
<Formula 34>
_{^{k * 0: = (δ,}} 0,1, φ 0, 0) B * 0
k ^* ₁ : = (δv ^→ ₁ , 0 ⁿ¹ , φ ^→ ₁ , 0) B ^* ₁
k ^* ₂ : = (δv ^→ ₂ , 0 ⁿ² , φ ^→ ₂ , 0) B ^* ₂
Here, δ, φ ₀ , φ ^→ ₁ and φ ^→ ₂ are random values. v ^→ ₁ : = v _1,1 , v ₁ , ₂ are key information. Here, as in the first embodiment, a generation number whose value is incremented each time a new key is issued is used as key information. v ^→ ₂ : = v _2,1 , v _2,2 is attribute information of the user to _whom the user secret key k ^* is given.
When the value of the generation number is ρ and the value of the attribute information is α, the user secret key k ^* is generated here as shown in Expression 35.
<Formula 35>
_{^{k * 0: = (δ,}} 0,1, φ 0, 0) B * 0
k ^* ₁ : = (δ (ρ, 1), 0 ⁿ¹ , φ ^→ ₁ , 0) B ^* ₁
k ^* ₂ : = (δ (α, 1), 0 ⁿ² , φ ^→ ₂ , 0) B ^* ₂
That is, v _1,1 : = ρ, v _1,2 : = 1, v _2,1 : = α, v _2,2 : = 1.

<Encrypted data registration process>
With reference to FIG. 6, the encrypted data registration process according to the second embodiment will be described with a focus on differences from the encrypted data registration process according to the first embodiment.
(S11: Encryption processing)
The encrypted data generation unit 110 of the user terminal 100 generates the encrypted data c by executing the Enc algorithm.

Here, the encrypted data generation unit 110 uses the base B included in the public parameter pk stored in the key management unit 150, as shown in Expression 36, by the processing device, and the elements c ₀ , c ₁ and c ₂ are generated.
<Formula 36>
c ₀ : = (− s ₀ , 0, ζ, 0, η ₀ ) B ₀
c ₁ : = (s ₁ e ^→ _1,1 + θ ₁ (1, r), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
c ₂ : = (s ₂ e ^→ _2,1 + θ ₂ x ^→ ₂ , 0 ⁿ² , 0 ⁿ² , η ₂ ) B ₂
Here, s ₀ = s ₁ + s ₂ . ζ, θ ₁ , θ ₂ , η ₀ , η ₁ , η ₂ , r are random values. x _2,1 , x _2,2 are attribute information of a user who can decrypt the encrypted data c.
When the value of the attribute information is α, the encrypted data c is generated here as shown in Expression 37.
<Formula 37>
c ₀ : = (− s ₀ , 0, ζ, 0, η ₀ ) B ₀
c ₁ : = (s ₁ e ^→ _1,1 + θ ₁ (1, r), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
c ₂ : = (s ₂ e ^→ _2,1 + θ ₂ (1, −α), 0 ⁿ² , 0 ⁿ² , η ₂ ) B ₂
That is, x _2,1 : = 1, x _2,2 : = − α.

Also, the encrypted data generation unit 110 generates the element cd _{+ 1} of the encrypted data c using the parameter param included in the public parameter pk stored in the key management unit 150 as shown in Expression 38 by the processing device. To do.
<Formula 38>
c _{d + 1} : = e (g, g) ^ζ · m

Further, the encrypted data generation unit 110, the processing device, the domain public key dpk stored in the key management unit 150, an encrypted E (r) and r, theta ₁ the encrypted E (θ ₁₎ and Is generated.
Further, the encrypted data generation unit 110 generates user identification information indicated by the attribute information set to the element c ₁ as the user list ul.

(S12: First data transmission process)
The data transmission unit 120 receives encrypted data c including the elements c ₀ , c ₁ , c ₂ , c _{d + 1} , E (r), E (r), and ul generated by the encrypted data generation unit 110 by the communication device. And transmitted to the encrypted data management apparatus 200.

  The processes from S13 to S17 are the same as those in the first embodiment.

<Encrypted data acquisition processing>
With reference to FIG. 7, the encrypted data acquisition process according to the second embodiment will be described with a focus on differences from the encrypted data acquisition process according to the first embodiment.
The processing from S21 to S24 is the same as that in the first embodiment.

(S25: Generation number changing process)
S25 is also the same as that of the first embodiment in principle. However, how to reset the random number r in the element c ₁ of the encrypted data c are different.
Specifically, the key information setting unit 230 resets the random value r as follows. Here, an element c ₁ ′ obtained by resetting the random value r in the element c ₁ shown in Expression 37 is shown.

When the user identification information included in the user list ul is not included in the revocation information stored in the revocation information management unit 250, the key information setting unit 230 generates an element c ₁ ′ as shown in Expression 39. .
<Formula 39>
c ₁ ′: = (s ₁ e ^→ _1,1 + θ ₁ (1, −1), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
That is, r is reset to -1. -1 after resetting r is an initial value of −1 × generation number.
Note that by performing the calculation shown in Expression 40, the element c ₁ ′ shown in Expression 39 can be obtained from the element c ₁ shown in Expression 37.
<Formula 40>
c ₁ ′: = c ₁ −θ ₁ rb _1,2 −θ ₁ b _1,2
Here, r and θ ₁ are obtained by decrypting the elements E (r) and E (θ ₁ ) of the encrypted data c with the domain secret key dsk stored in the key management unit 260. In addition, b _1,1 , b ₁ , ₂ are obtained from the base B included in the public parameter pk.

When the user identification information included in the user list ul is included in the revocation information stored in the revocation information management unit 250, the key information setting unit 230 generates an element c ₁ ′ as shown in Expression 41. .
<Formula 41>
c ₁ ′: = (s ₁ e ^→ _1,1 + θ ₁ (1, −ρ ₁ ), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
In other words, re-set the r to -ρ _1. -ρ _{1 obtained} by resetting r is −1 × (the value of the generation number of the revoked user secret key k ^* + 1). That is, when the user A is included in the user list ul and 1 is included in the revocation list as the generation number of the user secret key k ^* of the revoked user A, −ρ ₁ is −1 × (1 + 1) = −2.
In addition, by performing the calculation shown in Expression 42, the element c ₁ ′ shown in Expression 41 can be obtained from the element c ₁ shown in Expression 37.
<Formula 42>
c ₁ ′: = c ₁ −θ ₁ rb _{1, 2} −θ ₁ ρ ₁ b _{1, 2}

  S26 is the same as that in the first embodiment.

S27 is also the same as that of the first embodiment in principle. However, the decoding method is different.
Here, the decryption unit 140 decrypts the encrypted data c ′ with the user secret key k ^* by executing the calculation shown in Expression 43 by the processing device, and extracts the message m ′.
<Formula 43>
m ′: = c _{d + 1} / (e (c ₀ , k ^* ₀ ) · Π _{t = 1} ^L e (c _t , k ^* _t ))

As described above, t = 1,. . . , L, the attribute information set for the element k ^* _t in the user secret key k ^* (v ^→ _t ) and the attribute information set for the element c _t in the encrypted data c (x ^→ _t ) Corresponds to the extracted m ′ = m. In this case, attribute information or the like (v ^→ _t ) and attribute information or the like (x ^→ _t ) correspond to v ^→ _t · x ^→ _t = Σ _{i = 1} ^nt v _{t, i} · x _{t, i} = 0.

It is assumed that the user terminal 100 has a user secret key k ^* that is generated first and has a generation number value of 1. That is, it is assumed that the user terminal 100 has the user secret key k ^* shown in Expression 44 in which 1 is set in ρ of Expression 35.
<Formula 44>
_{^{k * 0: = (δ,}} 0,1, φ 0, 0) B * 0
k ^* ₁ : = (δ (1,1), 0 ⁿ¹ , φ ^→ ₁ , 0) B ^* ₁
k ^* ₂ : = (δ (α, 1), 0 ⁿ² , φ ^→ ₂ , 0) B ^* ₂
Further, in S11, the element _{c 1} of the encrypted data c is assumed to be generated as shown in Equation 45 (= Equation 37).
<Formula 45>
c ₀ : = (− s ₀ , 0, ζ, 0, η ₀ ) B ₀
c ₁ : = (s ₁ e ^→ _1,1 + θ ₁ (1, r), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
c ₂ : = (s ₂ e ^→ _2,1 + θ ₂ (1, −α), 0 ⁿ² , 0 ⁿ² , η ₂ ) B ₂

If the user identification information included in the user list ul is not included in the revocation information, the element c ₁ ′ is generated as shown in Expression 46 (= Expression 39).
<Formula 46>
c ₁ ′: = (s ₁ e ^→ _1,1 + θ ₁ (1, −1), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
In this case, in the user secret key k ^* , v _1,1 , v _1,2 set to the coefficients of the basis vectors b ^* _1,1 , b ^* _1,2 of the basis B ^* ₁ are v _1,1 = 1, v _1,2 = 1. In addition, in the element c ₁ ′, x _1,1 , x _1,2 set to the coefficients of the basis vectors b _1,1 , b _1,2 of the basis B ₁ are x _1,1 = 1, x _{1, 2} = -1. Therefore, v ^→ ₁ · x ^→ ₁ = Σ _{i = 1} ² v _{1, i} · x _{1, i} = 1-1 = 0. Further, the user private key ^{k *,} basis vectors of the basis ^{_{B * 2 b * 2,1, b}} * 2,2 v 2,1 set to the coefficient _{of, v 2, 2 is, v 2,1} = alpha , V _2,2 = 1. Further, in the elements _{c 1} ', a basis vector _b 2,1 of the base _{B 2, b x} 2,1 set to the coefficient of _{2, 2, x 2, 2 is, x 2,1 = 1, x 2} , ₂ = −α. Therefore, it is ^{_{v → 2 · x → 2 =}} Σ i = 1 2 v 2, i · x 2, i = α-α = 0. Therefore, the message m ′ extracted in S26 is equal to the message m set in the element cd _{+ 1} of the encrypted data c in S11.
That is, the encrypted data c can be decrypted with the user secret key k ^* .

On the other hand, when the user identification information included in the user list ul is included in the revocation information, the element c ₁ ′ is generated as shown in Expression 47. Here, it is assumed that the user secret key k ^* whose generation number is 1 has expired.
<Formula 47>
c ₁ ′: = (s ₁ e ^→ _1,1 + θ ₁ (1, −2), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
In this case, v _1,1 = 1, v _1,2 = 1, and x _1,1 = 1, x _1,2 = -2, so v ^→ ₁ · x ^→ ₁ = Σ _{i = 1} ² v _{1, i} · x _{1, i} = 1-2 ≠ 0. Therefore, the message m ′ extracted in S26 is not equal to the message m set in the element cd _{+ 1} of the encrypted data c in S11.
That is, the encrypted data c cannot be decrypted with the expired user secret key k ^* .

However, the user terminal 100, asked to re-generate the user secret key k ^* to the key generation device 400, and has obtained the user secret key k ^* 2 is attached as the value of the generation number. That is, it is assumed that the user terminal 100 has acquired the user secret key k ^* shown in Expression 48 in which 2 is set in ρ of Expression 35.
<Formula 48>
_{^{k * 0: = (δ,}} 0,1, φ 0, 0) B * 0
k ^* ₁ : = (δ (2,1), 0 ⁿ¹ , φ ^→ ₁ , 0) B ^* ₁
k ^* ₂ : = (δ (α, 1), 0 ⁿ² , φ ^→ ₂ , 0) B ^* ₂
In this case, v _1,1 = 2 and v _1,2 = 1, and x _1,1 = 1, x _1,2 = −2, so v ^→ ₁ · x ^→ ₁ = Σ _{i = 1} ² v _{1, i} · x _{1, i} = 2-2 = 0. Further, v ^→ ₂ · x ^→ ₂ = Σ _{i = 1} ² v _{2, i} · x _{2, i} = α−α = 0. Therefore, the message m ′ extracted in S26 is equal to the message m set in the element cd _{+ 1} of the encrypted data c in S11.
That is, when the user secret key k ^* is lost, the encrypted data c can be decrypted by regenerating the user secret key k ^* .

It is also conceivable that the user terminal 100 acquires the encrypted data c from the encrypted data storage device 300 without going through the encrypted data management device 200. However, in this case, the element c ₁ of the encrypted data c is as shown in Expression 49 (= Expression 37).
<Formula 49>
c ₁ : = (s ₁ e ^→ _1,1 + θ ₁ (1, r), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁
In this case, since the random value r is used, Σ _{i = 1} ² v _{1, i} · x _{1, i} ≠ 0 regardless of the number of generation numbers set in the user secret key k ^* . Cannot decrypt.

  As described above, the cryptographic processing system 10 according to the second embodiment can obtain the same effects as the cryptographic processing system 10 according to the first embodiment.

In the above description, the element c ₁ of the encrypted data c is generated as shown in Expression 36. However, as shown in Expression 50, the element c ₁ may be generated without using the random value θ ₁ . This is because r itself is a random value and it is not necessary to multiply the random value.
<Formula 50>
c ₁ : = (s ₁ e ^→ _1,1 + (1, r), 0 ⁿ¹ , 0 ⁿ¹ , η ₁ ) B ₁

Further, as shown in Expression 51, the element c ₁ may be generated by encrypting the entire element c ₁ with the domain public key without setting a random value in the basis vector for setting the key information. By setting a random value to the basis vector for setting the key information, when the user terminal 100 directly obtains the encrypted data c from the encrypted data storage device 300, it cannot be decrypted. However, the same effect can be obtained by encrypting the other parts with the domain public key.
<Formula 51>
c ₁ : = E (s ₁ e ^→ _1,1 , 0, ⁿ ₁ , 0 ^{n 1} , η ₁ ) B ₁

Embodiment 3 FIG.
In the first embodiment, the user terminal 100 directly moves from the encrypted data storage device 300 by setting the random values r ₁ and r ₂ to the basis vector in which the key information in the element c ₁ of the encrypted data c is set. The security when the encrypted data c was acquired was maintained. Similarly, in the second embodiment, the user terminal 100 directly encrypts data from the encrypted data storage device 300 by setting a random value r as a base in which the key information in the element c ₁ of the encrypted data c is set. The safety when data c was acquired was maintained.
In the third embodiment, the user terminal 100 obtains the encrypted data c directly from the encrypted data storage device 300 by performing access control to the encrypted data storage device 300 while simplifying the setting of the encrypted data c. Explain how to keep safe when you try.
In the third embodiment, a case where the process according to the first embodiment is applied will be described. However, the case where the process according to the second embodiment is applied can be similarly realized.

  The configuration of the cryptographic processing system 10 is the same as the configuration of the cryptographic processing system 10 according to the first embodiment shown in FIG. The configurations of the user terminal 100 and the key generation device 400 are the same as the configurations of the user terminal 100 and the key generation device 400 according to Embodiment 1 shown in FIGS.

FIG. 8 is a configuration diagram of the encrypted data management apparatus 200 according to the third embodiment.
The encrypted data management apparatus 200 according to Embodiment 3 includes an authentication processing unit 270 in addition to the functions of the encrypted data management apparatus 200 according to Embodiment 1 shown in FIG.

FIG. 9 is a configuration diagram of the encrypted data storage device 300 according to the third embodiment.
The encrypted data storage device 300 according to Embodiment 3 includes an authentication processing unit 350 in addition to the functions of the encrypted data storage device 300 according to Embodiment 1 shown in FIG.

The three preconditions are basically the same as in the first embodiment.
However, in Embodiment 1, the base vectors b ₁ and b ₂ of the base B included in the public parameter pk are removed from the public parameter pk and transmitted only from the key generation device 400 to the encrypted data management device 200. . At this time, a secure communication path using SSL or the like is used in order to prevent eavesdropping and tampering.

<Encrypted data registration process>
FIG. 10 is a flowchart showing a flow of encrypted data registration processing according to the third embodiment.
(S31: Encryption processing)
The encrypted data generation unit 110 of the user terminal 100 generates the encrypted data c by executing the Enc algorithm as in S11 of FIG.

Here, the encrypted data generation unit 110 generates the element c ₁ of the encrypted data c as shown in Expression 52 by the processing device.
<Formula 52>
c ₁ : = ω (x ₃ b ₃ + x ₄ b ₄ ) + ζb ₅ + φb ₆
Here, ω, ζ, and φ are random values. In x ₃ and x ₄ , attribute information of a user who can decrypt the encrypted data c is set.
When the value of the attribute information is α, the encrypted data c is generated here as shown in Expression 53.
<Formula 53>
c ₁ : = ω (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
That is, x ₃ : = 1, x ₄ : = − α.

The encrypted data generation unit 110 also generates the elements c2, E (ω ₁ r ₁ ), E (ω ₁ r ₂ ), and ul in the same manner as S11 in FIG.

(S32: first authentication information transmission process)
The data transmission unit 120 of the user terminal 100 transmits user identification information and a password to the encrypted data management apparatus 200 as authentication information by the communication apparatus.

(S33: First authentication process)
The data receiving unit 210 of the encrypted data management apparatus 200 receives the user identification information and the password from the user terminal 100 through the communication apparatus.
Then, the authentication processing unit 270 of the encrypted data management apparatus 200 performs user authentication based on the user identification information and the password. For example, the authentication processing unit 270 stores identification information and a password for each user in advance, and performs authentication based on whether or not the received identification information and password match the stored identification information and password. The authentication processing unit 270 advances the process to S34 when the authentication is successful, and ends the process when the authentication fails.
(S34: First data transmission process)
The data transmission unit 120 of the user terminal 100 transmits the encrypted data c to the encrypted data management apparatus 200 as in S12 of FIG.

(S35: Second authentication information transmission process)
The data receiving unit 210 of the encrypted data management device 200 receives the encrypted data c from the user terminal 100 by the communication device. Then, the data transmission unit 240 transmits the identification information and password of the encrypted data management device 200 to the encrypted data storage device 300 as authentication information.

(S36: Second authentication process)
The data receiving unit 310 of the encrypted data storage device 300 receives the identification information and password of the encrypted data management device 200 from the user terminal 100 through the communication device.
Then, the authentication processing unit 350 of the encrypted data storage device 300 performs an authentication process based on the identification information and password of the encrypted data management device 200. For example, the authentication processing unit 350 stores the identification information and password of the encrypted data management apparatus 200 in advance, and determines whether or not the received identification information and password match the stored identification information and password. Certify. The authentication processing unit 350 advances the process to S37 if the authentication is successful, and ends the process if the authentication fails.

(S37: Second data transmission process)
The data transmission unit 240 of the encrypted data management apparatus 200 attaches the related information r to the encrypted data c and transmits it to the encrypted data storage apparatus 300.

  The processing from S38 to S41 is the same as the processing from S14 to S17 shown in FIG.

<Encrypted data acquisition processing>
FIG. 11 is a flowchart showing a flow of encrypted data acquisition processing according to the third embodiment.
(S51: First authentication information transmission process)
The data transmission unit 120 of the user terminal 100 transmits user identification information and a password to the encrypted data management apparatus 200 as authentication information by the communication apparatus.

(S52: first authentication process)
The data receiving unit 210 of the encrypted data management apparatus 200 receives the user identification information and the password from the user terminal 100 through the communication apparatus.
Then, the authentication processing unit 270 of the encrypted data management apparatus 200 performs user authentication based on the user identification information and the password. For example, the authentication processing unit 270 performs authentication by the same method as S33. The authentication processing unit 270 advances the process to S53 when the authentication is successful, and ends the process when the authentication fails.

(S53: Keyword transmission process)
The data transmission unit 120 of the user terminal 100 transmits a keyword capable of specifying the encrypted data c to the encrypted data management device 200 by the communication device.

(S54: Second authentication information transmission process)
The data receiving unit 210 of the encrypted data management apparatus 200 receives the keyword from the user terminal 100 by the communication apparatus. Then, the data transmission unit 240 transmits the identification information and password of the encrypted data management device 200 to the encrypted data storage device 300 as authentication information.

(S55: Second authentication process)
The data receiving unit 310 of the encrypted data storage device 300 receives the identification information and password of the encrypted data management device 200 from the user terminal 100 through the communication device.
Then, the authentication processing unit 350 of the encrypted data storage device 300 performs an authentication process based on the identification information and password of the encrypted data management device 200. For example, the authentication processing unit 350 performs authentication by the same method as S36. The authentication processing unit 350 advances the process to S56 when the authentication is successful, and ends the process when the authentication fails.

(S56: Keyword transfer process)
The data transmission unit 240 of the encrypted data management device 200 transmits the keyword to the encrypted data storage device 300 through the communication device.

  The processing from S57 to S58 is the same as the processing from S23 to S24 shown in FIG.

(S59: Authority determination process)
The data receiving unit 210 of the encrypted data management device 200 receives the encrypted data c from the encrypted data storage device 300 through the communication device.
Then, the authentication processing unit 270 of the encrypted data management device 200 determines whether or not the user identification information received in S52 is included in the user list ul of the encrypted data c by the processing device. If it is included, the authentication processing unit 270 advances the process to S60. If not included, the authentication processing unit 270 ends the process.

(S60: Generation number changing process)
The revocation determination unit 220 of the encrypted data management apparatus 200 determines whether or not the identification information of the user included in the user list ul of the encrypted data c is included in the revocation information stored in the revocation information management unit 250 by the processing device. To determine. The key information setting unit 230 sets the element c ₁ of the encrypted data c to a different value according to the determination result of the revocation determination unit 220 by the processing device, and generates the element c ₁ ′.
Specifically, the key information setting unit 230 sets a value for the element c ₁ as follows. Here, showing elements c _{1 'obtained} by setting the value to the element c ₁ shown in Equation 53.

When the user identification information included in the user list ul is not included in the revocation information stored in the revocation information management unit 250, the key information setting unit 230 uses the element c as shown in Expression 54 (= Expression 10). ₁ 'is generated.
<Formula 54>
c ₁ ′: = ω ₁ (b ₁ −b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
That is, 1 is set as the coefficient of the basis vector b ₁ and −1 is set as the coefficient of the basis vector b ₂ . −1 reset to the coefficient of the basis vector b ₂ is an initial value of −1 × generation number.

Note that by performing the calculation shown in Expression 55, the element c ₁ ′ shown in Expression 54 can be obtained from the element c ₁ shown in Expression 53.
<Formula 55>
c ₁ ′: = c ₁ + (ω ₁ b ₁ −ω ₁ b ₂ )

When the user identification information included in the user list ul is included in the revocation information stored in the revocation information management unit 250, the key information setting unit 230 uses the element c as shown in Expression 56 (= Expression 12). ₁ 'is generated.
<Formula 56>
c ₁ ′: = ω ₁ (b ₁ −ρ ₁ b ₂ ) + ω ₂ (b ₃ −αb ₄ ) + ζb ₅ + φb ₆
That is, 1 is set as the coefficient of the basis vector b ₁ , and −ρ ₁ is set as the coefficient of the basis vector b ₂ . -Ρ ₁ set as the coefficient of the basis vector b ₂ is −1 × (the value of the generation number of the revoked user secret key k ^* + 1).
Note that by performing the calculation shown in Expression 57, the element c ₁ ′ shown in Expression 56 can be obtained from the element c ₁ shown in Expression 53.
<Formula 57>
c ₁ ′: = c ₁ + (ω ₁ b ₁ −ω ₁ ρ ₁ b ₂ )

  The processing from S61 to S62 is the same as the processing from S26 to S27 shown in FIG.

  As described above, the cryptographic processing system 10 according to the third embodiment authenticates the encrypted data management device 200 and the encrypted data storage device 300, respectively. Thereby, it is possible to prevent the encrypted data c from being directly acquired from the encrypted data storage device 300 by the user terminal 100. Therefore, safety can be maintained without setting a random value in the encrypted data c.

  The cryptographic processing system 10 according to the third embodiment can prevent unauthorized data from being registered in the encrypted data storage device 300 in the encrypted data registration process.

  In the above description, authentication is performed by the encrypted data management device 200 and the encrypted data storage device 300, respectively. However, the encrypted data management apparatus 200 may not perform authentication and only the encrypted data storage apparatus 300 may perform authentication. When at least the encrypted data storage device 300 performs authentication, the user terminal 100 can directly acquire the encrypted data c from the encrypted data storage device 300, or illegal data is registered in the encrypted data storage device 300. Can be prevented.

In the above description, the case where the process according to the first embodiment is applied has been described. When the process according to the second embodiment is applied, the process flow is the same as when the process according to the first embodiment is applied. However, the element c ₁ generated in S31 and the element c ₁ ′ generated in S60 are different from the case where the processing according to the first embodiment is applied.
When the process according to the second embodiment is applied, the element c ₁ generated in S31 is expressed by Expression 58.
<Formula 58>
c ₁ : = (s ₁ e ^→ ₁ , ₁ , 0 ⁿ ₁ , 0 ^{n 1} , η ₁ ) B ₁
Further, when the process according to the second embodiment is applied, the element c ₁ ′ generated in S60 is expressed by Expression 39 and Expression 41.
Further, the base B ₁ included in the public parameter pk in the second embodiment is removed from the public parameter pk and transmitted only from the key generation device 400 to the encrypted data management device 200. At this time, a secure communication path using SSL or the like is used in order to prevent eavesdropping and tampering.

Here, the method of assigning key information and attribute information to the user secret key k ^* and the encrypted data c in the above embodiment is an example, and other methods may be used.
For example, in the first embodiment, if the attribute information is alpha, the user secret key k ^*, alpha as the coefficients of the basis vector b ^* _3, 1 is set as the coefficient of the basis vector b ^* _4. For the element c ₁ of the encrypted data c, ₁ is set as the coefficient of the base vector b ₃ and −α is set as the coefficient of the base vector b ₄ . However, for example, for the user private key ^{k *,} 1 as coefficients of basis vectors ^b _{* 3,} alpha as the coefficient of the basis vector ^b _{* 4} are set, elements _{c 1} of the encrypted data c, basis vector _{b 3} -α as the coefficient of 1 as the coefficient of the basis vector b ₄ may be set.
In addition, instead of simply changing the basis vectors for setting values in this way, key information and attribute information may be assigned by a completely different method. Regardless of the allocation method, the revocation method according to the above embodiment can be applied.

In the above embodiment, the method of applying the key revocation method to the functional encryption methods described in Non-Patent Documents 1 and 2 has been described.
However, the key revocation method according to the above embodiment is not limited to the functional encryption method described in Non-Patent Documents 1 and 2, but is a function that applies the functional encryption method described in Non-Patent Documents 1 and 2. It is also possible to apply to the type encryption method.
Further, the key revocation method according to the above embodiment is not limited to the functional encryption method but can be applied to other encryption methods.

In the above embodiment, the case where the message m is transmitted using the functional encryption method has been described.
In encryption using a public key cryptosystem, a so-called hybrid cryptosystem is usually used in which data is encrypted with a common key and then the common key is encrypted with the user's public key. In the hybrid encryption method, a common key encrypted with the user's public key is attached to the encrypted data.
In the hybrid encryption method, by deleting the encrypted common key from the encrypted data, the data encrypted with the common key cannot be decrypted. However, the functional encryption method encrypts data that can be decrypted with a plurality of secret keys with one public key. Therefore, if a common key is attached with the same mechanism, only one encrypted common key is assigned to a plurality of secret keys. In other words, if one user expires, there is no other way but to re-encrypt it in the conventional manner.
However, if the key revocation method according to the above embodiment is used, key revocation can be realized even in the case of a hybrid encryption method using a functional encryption method. In the case of the hybrid encryption method, a common key (or common key generation source data) for encrypting content is set as the message m.

FIG. 12 is a diagram illustrating an example of a hardware configuration of the user terminal 100, the encrypted data management device 200, the encrypted data storage device 300, and the key generation device 400.
As shown in FIG. 12, the user terminal 100, the encrypted data management device 200, the encrypted data storage device 300, and the key generation device 400 include a CPU 911 (Central Processing Unit, a central processing unit, a processing device, An arithmetic device, a microprocessor, a microcomputer, and a processor). The CPU 911 is connected to the ROM 913, the RAM 914, the LCD 901 (Liquid Crystal Display), the keyboard 902 (K / B), the communication board 915, and the magnetic disk device 920 via the bus 912, and controls these hardware devices. Instead of the magnetic disk device 920 (fixed disk device), a storage device such as an optical disk device or a memory card read / write device may be used. The magnetic disk device 920 is connected via a predetermined fixed disk interface.

  The ROM 913 and the magnetic disk device 920 are examples of a nonvolatile memory. The RAM 914 is an example of a volatile memory. The ROM 913, the RAM 914, and the magnetic disk device 920 are examples of a storage device (memory). The keyboard 902 and the communication board 915 are examples of input devices. The communication board 915 is an example of a communication device. Furthermore, the LCD 901 is an example of a display device.

  An operating system 921 (OS), a window system 922, a program group 923, and a file group 924 are stored in the magnetic disk device 920 or the ROM 913. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 includes “encrypted data generation unit 110”, “data transmission unit 120”, “data reception unit 130”, “decryption unit 140”, “data reception unit 210”, “revocation determination unit” in the above description. 220 ”,“ key information setting unit 230 ”,“ data transmission unit 240 ”,“ authentication processing unit 270 ”,“ data reception unit 310 ”,“ data operation unit 320 ”,“ data transmission unit 330 ”,“ instruction reception unit ” Software, programs, and other programs that execute the functions described as “410”, “key generation unit 420”, “key transmission unit 430”, and the like are stored. The program is read and executed by the CPU 911.
The file group 924 includes “key management unit 150”, “revocation information management unit 250”, “key management unit 260”, “encrypted data management unit 340”, “master key storage unit 440”, and the like in the above description. Stored information, data, signal values, variable values, and parameters are stored as items of “file” and “database”. The “file” and “database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for the operation of the CPU 911 such as calculation / processing / output / printing / display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the operation of the CPU 911 for extraction, search, reference, comparison, calculation, calculation, processing, output, printing, and display. Is remembered.

In the above description, the arrows in the flowchart mainly indicate input / output of data and signals, and the data and signal values are recorded in a memory of the RAM 914, other recording media such as an optical disk, and an IC chip. Data and signals are transmitted online by a bus 912, signal lines, cables, other transmission media, and radio waves.
In addition, what is described as “to part” in the above description may be “to circuit”, “to device”, “to device”, “to means”, and “to function”. It may be “step”, “˜procedure”, “˜processing”. In addition, what is described as “˜device” may be “˜circuit”, “˜device”, “˜means”, “˜function”, and “˜step”, “˜procedure”, “ ~ Process ". Furthermore, what is described as “to process” may be “to step”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored in a recording medium such as ROM 913 as a program. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes a computer or the like to function as the “˜unit” described above. Alternatively, the computer or the like is caused to execute the procedures and methods of “to part” described above.

  DESCRIPTION OF SYMBOLS 10 Encryption processing system, 100 User terminal, 110 Encrypted data generation part, 120 Data transmission part, 130 Data reception part, 140 Decryption part, 150 Key management part, 200 Encrypted data management apparatus, 210 Data reception part, 220 Revocation determination , 230 Key information setting unit, 240 Data transmission unit, 250 Revocation information management unit, 260 Key management unit, 270 Authentication processing unit, 300 Encrypted data storage device, 310 Data reception unit, 320 Data operation unit, 330 Data transmission unit 340 Encrypted data management unit, 350 Authentication processing unit, 400 Key generation device, 410 Instruction reception unit, 420 Key generation unit, 430 Key transmission unit, 440 Master key storage unit.

Claims (11)

If the attribute information and key information set in the encrypted data does not correspond to the attribute information and key information set in the secret key, the encryption method cannot decrypt the encrypted data with the secret key. An encrypted data management device that manages encrypted data,
A data acquisition unit that acquires encrypted data set with attribute information from a storage device;
A revocation determination unit that determines whether the user having the attribute information set in the encrypted data acquired by the data acquisition unit includes a user whose private key has been revoked;
A key information setting unit that sets a different value in the encrypted data as the key information depending on whether or not the revocation determination unit determines that a user whose private key has been revoked;
An encrypted data management apparatus comprising: a data transmission unit that transmits encrypted data in which the key information setting unit sets key information to a user terminal. The data acquisition unit acquires encrypted data in which a random value is set as the key information,
The encrypted data management apparatus according to claim 1, wherein the key information setting unit resets the key information set in the encrypted data acquired by the data acquisition unit to the different value. The encrypted data management device further includes:
It has a revocation information management unit that manages the generation number of revoked private keys,
When it is determined that the user whose secret key has expired is not included, the key information setting unit sets the initial value of the generation number as the key information, and includes the user whose secret key has expired 2. The encrypted data management apparatus according to claim 1, wherein a value different from a generation number managed by the revocation information management unit is set as the key information. The data acquisition unit acquires, as the encrypted data, an encryption vector in which the attribute information is set to a coefficient of a base vector A that is a partial base vector in a predetermined base B,
The encrypted data management apparatus according to claim 1, wherein the key information setting unit sets the different value to a coefficient of a base vector K that is a base vector different from the base vector A in the base B. . The data acquisition unit acquires encrypted data including the encryption vector in which a random value is set as a coefficient of the base vector K, and an encrypted random number value in which the random value is encrypted,
The key information setting unit decrypts the encrypted random number value to obtain the random number value, subtracts a vector in which the random value is set as a coefficient of the base vector K from the encrypted vector, and the base vector K 5. The encrypted data management apparatus according to claim 4, wherein a vector in which the different value is set as the coefficient is added to the encrypted vector. The data acquisition unit acquires the encryption vector in which the coefficient of the base vector K is set to 0 as the encryption data,
5. The encrypted data management apparatus according to claim 4, wherein the key information setting unit adds a vector in which the different value is set to a coefficient of the base vector K to the encrypted vector. The data acquisition unit includes t = 1,. . . , N (n is an integer equal to or greater than 2), an attribute vector in which the attribute information is set to a coefficient of a base vector of an attribute base that is a partial base of the base B ^[t] for each t, and the base B ^[ an encryption vector including a key information vector of a key information base that is a base different from the attribute base at ^t] is obtained as the encrypted data,
The encrypted data management apparatus according to claim 1, wherein the key information setting unit sets the key information vector to a vector in which the different value is set as a coefficient of a base vector of the key information base. The data acquisition unit includes, as the key information vector, a vector in which a random value is set as a coefficient of a predetermined basis vector K among the basis vectors of the key information basis, and the random value is encrypted. The encrypted data including the encrypted random number value,
The key information setting unit decrypts the encrypted random number value to obtain the random value, subtracts a vector in which the random value is set as a coefficient of the basis vector K from the key information vector, and The encrypted data management apparatus according to claim 7, wherein a vector in which the different value is set as the coefficient is added to the key information vector. The data acquisition unit acquires, as the encrypted data, the encryption vector in which a coefficient of the predetermined base vector K among the base vectors of the key information base is set to 0,
The encrypted data management apparatus according to claim 7, wherein the key information setting unit adds a vector in which the different value is set to a coefficient of the base vector K to the key information vector. If the attribute information and key information set in the encrypted data does not correspond to the attribute information and key information set in the secret key, the encryption method cannot decrypt the encrypted data with the secret key. An encrypted data management method for managing encrypted data,
A data acquisition step in which the communication device acquires encrypted data in which the attribute information is set from the storage device;
A revocation determination step of determining whether or not the user having the attribute information set in the encrypted data acquired in the data acquisition step includes a user whose secret key has been revoked,
A key information setting step for setting a different value in the encrypted data as the key information depending on whether or not the processing device includes a user whose private key has been revoked, as determined in the revocation determination step;
An encrypted data management method, comprising: a data transmission step in which the communication device transmits the encrypted data in which the key information is set in the key information setting step to the user terminal. If the attribute information and key information set in the encrypted data does not correspond to the attribute information and key information set in the secret key, the encryption method cannot decrypt the encrypted data with the secret key. An encrypted data management program for managing encrypted data,
A data acquisition process for acquiring encrypted data set with attribute information from a storage device;
Revocation determination processing for determining whether the user having the attribute information set in the encrypted data acquired in the data acquisition processing includes a user whose secret key has been revoked;
A key information setting process for setting a different value in the encrypted data as the key information depending on whether or not it is determined in the revocation determination process that a user whose secret key has expired is included;
An encrypted data management program for causing a computer to execute a data transmission process for transmitting encrypted data in which key information is set in the key information setting process to a user terminal.

Images